CN110213215A - A kind of resource access method, device, terminal and storage medium - Google Patents


Info

Publication number
CN110213215A
Authority
CN
China
Prior art keywords
access
request
resource
terminal
information
Prior art date
Legal status
Granted
Application number
CN201810893233.7A
Other languages
Chinese (zh)
Other versions
CN110213215B (en)
Inventor
杨哲
蔡晨
周明辉
蒙俊伸
陈增萍
张华彦
李超俊
王继超
罗靖
曹子涵
杜闯
蔡东赟
Current Assignee
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201810893233.7A
Publication of CN110213215A
Application granted
Publication of CN110213215B
Legal status: Active

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/02 ... for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/08 ... for authentication of entities / H04L63/0807 ... using tickets, e.g. Kerberos
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/10 ... for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a resource access method, device, terminal and storage medium. When a terminal needs to access a resource, it sends an access ticket acquisition request to the network access client; it receives the access ticket returned by the network access client, which the network access client obtained from the access control apparatus on the basis of that acquisition request; it sends a connection establishment request carrying the access ticket to the gateway of the network; and, once the connection is established, it sends the resource access request to the gateway over that connection, so that the gateway forwards the resource access request to the resource server in the network. This scheme can improve resource security.

Description

A kind of resource access method, device, terminal and storage medium
Technical field
The present invention relates to the field of network technology, and in particular to a resource access method, device, terminal and storage medium.
Background technique
Traditional enterprise network access sets up a boundary wall and concentrates on defending the security boundary. From outside the boundary the corporate intranet cannot be reached directly; corporate resources are accessed through a VPN (Virtual Private Network). Inside the boundary every device is assumed to be safe and reliable: identity authentication is performed only once, when the device accesses the network, and after authentication the device accesses corporate resources without any further security measure. This is like guarding a city with a city wall: the identity of people entering the city is verified only at the gate, and if a bad actor manages to pass the gate, nothing they do inside the wall is supervised.
It can be seen that current enterprise network access is typically a boundary protection model, that is, identity authentication is performed at the network boundary. However, once the boundary protection is breached, an illegitimate party can obtain all resources in the network, so the security of those resources is poor.
Summary of the invention
The embodiment of the present invention provides a resource access method, device, terminal and storage medium that can improve the security of resources.
The embodiment of the present invention provides a resource access method suitable for a terminal, comprising:
when a resource needs to be accessed, sending an access ticket acquisition request to the network access client;
receiving the access ticket returned by the network access client, the access ticket having been obtained by the network access client from the access control apparatus on the basis of the access ticket acquisition request;
sending a connection establishment request to the gateway of the network, the connection establishment request carrying the access ticket;
when the connection is established successfully, sending the resource access request to the gateway over the connection, so that the gateway forwards the resource access request to the resource server in the network.
The embodiment of the present invention provides another resource access method suitable for a gateway, comprising:
receiving a connection establishment request sent by a terminal, the connection establishment request carrying the access ticket;
sending a verification request carrying the access ticket to the access control apparatus, so that the access control apparatus verifies the access ticket;
when the access ticket passes verification, establishing a connection with the terminal according to the connection establishment request;
receiving, over the established connection, the resource access request sent by the terminal, and forwarding the resource access request to the resource server.
The embodiment of the present invention provides another resource access method suitable for an access control apparatus, comprising:
receiving a ticket application request sent by a terminal;
obtaining request legitimacy assessment information according to the ticket application request;
determining, according to the request legitimacy assessment information, whether the current ticket application request is legitimate;
if it is legitimate, sending an access ticket to the terminal;
receiving a verification request sent by the gateway, the verification request carrying the access ticket;
verifying the access ticket, and sending the ticket verification result to the gateway.
The embodiment of the present invention also provides a resource access device suitable for a terminal, comprising:
a ticket request unit, for sending an access ticket acquisition request to the network access client when a resource needs to be accessed;
a ticket receiving unit, for receiving the access ticket returned by the network access client, the access ticket having been obtained by the network access client from the access control apparatus on the basis of the access ticket acquisition request;
a connection unit, for sending a connection establishment request to the gateway of the network, the connection establishment request carrying the access ticket;
an access unit, for sending the resource access request to the gateway over the connection when the connection is established successfully, so that the gateway forwards the resource access request to the resource server in the network.
The embodiment of the present invention also provides a resource access device suitable for a gateway, comprising:
a receiving unit, for receiving the connection establishment request sent by a terminal, the connection establishment request carrying the access ticket;
a verification unit, for sending a verification request carrying the access ticket to the access control apparatus, so that the access control apparatus verifies the access ticket;
a connection unit, for establishing a connection with the terminal according to the connection establishment request when the access ticket passes verification;
a forwarding unit, for receiving, over the established connection, the service request sent by the terminal and forwarding the service request to the service server.
The embodiment of the present invention also provides a resource access device suitable for an access control apparatus, comprising:
a receiving unit, for receiving the ticket application request sent by a terminal;
an information acquisition unit, for obtaining request legitimacy assessment information according to the ticket application request;
a determination unit, for determining, according to the request legitimacy assessment information, whether the current ticket application request is legitimate;
a ticket sending unit, for sending an access ticket to the terminal when the determination unit determines that the current resource access request is legitimate;
a second receiving unit, for receiving the verification request sent by the gateway, the verification request carrying the access ticket;
a ticket verification unit, for verifying the access ticket and sending the ticket verification result to the gateway.
The embodiment of the present invention also provides a storage medium storing a plurality of instructions suitable for being loaded by a processor to execute the steps of any resource access method suitable for a terminal provided by the embodiment of the present invention.
The embodiment of the present invention also provides another storage medium storing a plurality of instructions suitable for being loaded by a processor to execute the steps of any resource access method suitable for a gateway provided by the embodiment of the present invention.
The embodiment of the present invention also provides another storage medium storing a plurality of instructions suitable for being loaded by a processor to execute the steps of any resource access method suitable for an access control apparatus provided by the embodiment of the present invention.
The embodiment of the present invention also provides a terminal comprising a processor and a memory, the memory storing a plurality of instructions which the processor loads to execute the steps of any resource access method suitable for a terminal provided by the embodiment of the present invention.
The embodiment of the present invention also provides a gateway comprising a processor and a memory, the memory storing a plurality of instructions which the processor loads to execute the steps of any resource access method suitable for a gateway provided by the embodiment of the present invention.
The embodiment of the present invention also provides an access control apparatus comprising a processor and a memory, the memory storing a plurality of instructions which the processor loads to execute the steps of any resource access method suitable for an access control apparatus provided by the embodiment of the present invention.
When a resource needs to be accessed, the embodiment of the present invention sends an access ticket acquisition request to the network access client; receives the access ticket returned by the network access client, which obtained it from the access control apparatus on the basis of the acquisition request; sends a connection establishment request carrying the access ticket to the gateway of the network; and, once the connection is established, sends the resource access request to the gateway over that connection, so that the gateway forwards it to the resource server in the network. With this scheme all resource access requests are proxied by the gateway, and network access by legitimate terminals is controlled by issuing access tickets, so that a terminal cannot access intranet resources directly and only trusted processes are allowed to access them. Even if a user terminal is compromised by an attacker, the attacker's tools on the terminal cannot intrude on sensitive resources, which greatly improves resource security.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1a is a structural schematic diagram of the network system provided in an embodiment of the present invention;
Fig. 1b is a flow diagram of the resource access method provided in an embodiment of the present invention;
Fig. 1c is a structural schematic diagram of the resource access system provided in an embodiment of the present invention;
Fig. 1d is a schematic diagram of the NGN client interface mentioned in an embodiment of the present invention;
Fig. 2 is another flow diagram of the resource access method provided in an embodiment of the present invention;
Fig. 3a is another flow diagram of the resource access method provided in an embodiment of the present invention;
Fig. 3b is another flow diagram of the resource access method provided in an embodiment of the present invention;
Fig. 3c is another structural schematic diagram of the resource access system provided in an embodiment of the present invention;
Fig. 4a is a first structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 4b is a second structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 4c is a third structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 5a is a fourth structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 5b is a fifth structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 6a is a sixth structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 6b is a seventh structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 6c is an eighth structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 6d is a ninth structural schematic diagram of the resource access device provided in an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of the terminal provided in an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of the network equipment provided in an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative effort fall within the protection scope of the invention.
The embodiment of the present invention provides a service access method, apparatus, terminal and storage medium.
The embodiment of the present invention provides a network system which includes the resource access device suitable for a terminal (referred to as the first resource access device) and the resource access device suitable for an access control apparatus (referred to as the second resource access device) provided by any embodiment of the invention. The first resource access device can be integrated in a terminal, such as a mobile phone or tablet computer; the second resource access device can be integrated in an access control apparatus such as a server. In addition, the system can include other equipment, for example a gateway.
With reference to Fig. 1a, the embodiment of the invention provides a network system comprising terminal 10, gateway 20, access control apparatus 30 and resource server 40. Terminal 10 can be connected through the network to gateway 20 and to access control apparatus 30 respectively; resource server 40 is connected to gateway 20 through the network.
Terminal 10 is equipped with a network access client. When terminal 10 needs to access a resource, for example when it receives a resource access request, it sends an access ticket acquisition request to the network access client and receives the access ticket returned by the network access client, which obtained it from access control apparatus 30 on the basis of the acquisition request. Terminal 10 sends a connection establishment request carrying the access ticket to the gateway 30 of the network; once the connection is established, the terminal sends the resource access request to gateway 20 over the connection, so that gateway 20 forwards it to resource server 40 in the network.
In addition, terminal 10 can detect its own security state in real time through the network access client and obtain security state information; the network access client sends the security state information to access control apparatus 30, so that access control apparatus 30 determines from it whether the security state of terminal 10 is abnormal. When access control apparatus 30 determines that the security state of terminal 10 is abnormal, it sends a disconnection instruction to gateway 30, and gateway 30 disconnects all connections between terminal 10 and gateway 30 according to that instruction.
The example of Fig. 1a is one system architecture for implementing the embodiments of the present invention; the embodiments are not limited to the system structure of Fig. 1a, and the individual embodiments of the invention below are proposed on the basis of this architecture.
It is described in detail separately below.
In the embodiments of the present invention the description is given from the perspective of the resource access device, which can specifically be integrated in equipment such as a terminal, for example a mobile phone, laptop or tablet computer.
In one embodiment a resource access method is provided which can be executed by the processor of a terminal. As shown in Fig. 1b, the detailed flow of the resource access method can be as follows:
101. When a resource needs to be accessed, send an access ticket acquisition request to the network access client.
In one embodiment, the access ticket acquisition request can be sent to the network access client when a resource access request is received (at which point it can be determined that a resource needs to be accessed).
The resource access request can be triggered by an application in the terminal, for example by the browser: when the user uses the browser, the corresponding resource access request can be triggered by an operation, such as a code access request or an office resource access request. For example, the access ticket acquisition request can be sent to the network access client when a resource access request sent by an application process is received.
The access ticket acquisition request can carry service resource information, for example the information of the resource that needs to be accessed.
The resource access method provided in the embodiment can be implemented by a gateway proxy process or module in the terminal (that is, a local gateway agent process or module). For example, when the gateway proxy process, such as SmartGateAgent (intelligent gateway agent), receives a resource access request, it can request an access ticket from the network access client, specifically by sending an access ticket acquisition request to the network access client.
For example, with reference to Fig. 1c, when the gateway agent process in the terminal receives the resource access request triggered by the browser, it can request an access ticket from the network access client, such as the NGN (New Generation Network) client, specifically by sending an access ticket acquisition request to the network access client.
In one embodiment, before accessing a resource the terminal can also register with the access control apparatus, so that the current terminal and the user identity information are bound and the terminal is standardized, which further improves the security of resource access. For example, before a resource needs to be accessed, the method provided by the embodiment can also include:
sending a device registration request to the access control apparatus, the device registration request carrying the user identity information and the device identification information of the terminal;
when registration succeeds, performing standardization processing on the terminal through the network access client.
The user identity information can include an account and a password, such as the login account and password of the network access client.
Standardization processing can include standardizing applications, firmware, the system and various interfaces; specifically, it can be set according to actual needs.
With reference to Fig. 1c, the terminal first registers with the access control apparatus; after registration passes, standardization processing can be performed through the network access client, and then resource access can be realized through the gateway proxy process. For example, when the access control apparatus receives a device registration request it can parse the request to obtain the user identity information and the device information of the terminal; it can then verify the user identity information and, if verification passes, bind the user identity information with the device identification to complete device registration. For example, the access control apparatus can verify the user account through an account verification system.
In practical application, device registration can be realized when the user logs in to the network access client, the device registration request being the login request. For example, a new employee in an enterprise who needs to access a resource first opens the network access client installed on the terminal and enters the user account and password to log in; the terminal then sends a login request to the access control apparatus, which verifies the user account and password carried by the request and, if verification passes, returns a login success message so that the terminal can enter the network access client, as shown in Fig. 1d. When verification passes, the access control apparatus can bind the device identification of the current terminal (such as the device ID) with the user identity information (such as the user name) and store the binding in the device list, that is, the device baseline.
In one embodiment, the terminal can automatically trigger running and logging in to the network access client, for example logging in automatically with the saved user identity information when the terminal boots. Specifically, the step "sending a device registration request to the access control apparatus" comprises:
when the terminal boots, running the network access client in the background;
detecting whether the historical user identity information in the storage unit corresponding to the network access client has failed;
if not, extracting the historical user identity information from the storage unit;
automatically sending the device registration request to the access control apparatus according to the historical user identity information.
For example, when the user turns on the terminal, the terminal automatically runs the NGN client in the background and detects whether the user identity information saved in the cache of the NGN client (the user identity information previously used to log in to the NGN client) has failed; if not, it can send a login request to the access control apparatus carrying the device identification information of the terminal and the saved user identity information. The access control apparatus verifies the user identity information and, if verification passes, allows the login and binds the device information with the user identity information.
In one embodiment, when the historical user identity information has failed, the user identity information entered by the user can be obtained, and the device registration request is then sent to the access control apparatus on the basis of the entered information; the request carries the current device identification information of the terminal and the user identity information entered by the user.
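The registration and background-login flow described above, covering both the case where the saved user identity information is still valid and the case where it has failed, as an added example that is not part of the patent text. The account directory, the expiry field on the stored identity and the password hashing scheme are assumptions made for this example; the device baseline is the device-to-user binding the text calls the device list.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash for stored credentials (assumed; the patent does not specify one).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed account directory standing in for the "account verification system";
# the account name and password are made up for this example.
USER_DIRECTORY = {"alice": make_user_record("correct-horse-battery")}


@dataclass
class AccessControlApparatus:
    """Verifies device registration requests and keeps the device baseline
    (device identifier -> bound user name)."""
    device_baseline: Dict[str, str] = field(default_factory=dict)

    def register_device(self, username: str, password: str, device_id: str) -> bool:
        record = USER_DIRECTORY.get(username)
        if record is None:
            return False
        candidate = _hash_password(password, record["salt"])
        if not hmac.compare_digest(record["hash"], candidate):
            return False
        # Identity verified: bind the device identification to the user.
        self.device_baseline[device_id] = username
        return True


@dataclass
class StoredIdentity:
    """User identity information saved by the network access client. The
    expiry timestamp after which it counts as 'failed' is an assumption."""
    username: str
    password: str
    expires_at: float


def stored_identity_failed(stored: Optional[StoredIdentity], now: float) -> bool:
    return stored is None or now >= stored.expires_at


def background_login(apparatus: AccessControlApparatus, device_id: str,
                     stored: Optional[StoredIdentity],
                     prompt_user: Callable[[], Tuple[str, str]],
                     now: Optional[float] = None) -> bool:
    """Network access client started in the background at boot: reuse the saved
    identity if it has not failed, otherwise show the login interface (prompt_user),
    then send the device registration (login) request."""
    now = time.time() if now is None else now
    if stored_identity_failed(stored, now):
        username, password = prompt_user()
    else:
        username, password = stored.username, stored.password
    return apparatus.register_device(username, password, device_id)
```

A registration that fails verification leaves the baseline untouched, so a device never appears in the list without a verified user behind it; the gateway-side checks later in the text rely on that property.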
For example, when the user turns on the terminal, the terminal automatically runs the NGN client in the background and detects whether the user identity information saved in the cache of the NGN client (the user identity information previously used to log in to the NGN client) has failed; if it has failed, the login interface of the NGN client is shown, the user identity information entered by the user is obtained from the user's input on the login interface, and a login request can then be sent to the access control apparatus carrying the device information of the terminal and the entered user identity information. The access control apparatus verifies the user identity information and, if verification passes, allows the login and binds the device identification information with the user identity information.
102. Receive the access ticket returned by the network access client, the access ticket having been obtained by the network access client from the access control apparatus on the basis of the access ticket acquisition request.
The access ticket is the authentication information required to access the resource, for example information such as a password.
When the network access client receives the access ticket acquisition request, it can apply to the access control apparatus for an access ticket for resource access. For example, the network access client can send an access ticket application request to the access control apparatus, and the access control apparatus can issue or send the corresponding access ticket to the network access client according to that request.
After the network access client receives the access ticket issued by the access control apparatus, it can return the access ticket to the gateway proxy process.
With reference to Fig. 1c, when the network access client, such as the NGN client, receives the access ticket acquisition request sent by the gateway proxy process, it can apply to the access control apparatus for a resource access ticket. For example, the network access client can send an access ticket application request to the access control apparatus, and the access control apparatus can issue or send the corresponding access ticket to the network access client according to that request.
In one embodiment, the access control apparatus can obtain request legitimacy assessment information according to the access ticket application request, then determine from that information whether the current resource access request is legitimate, and if so send or issue the access ticket to the terminal, for example to the network access client.
The request legitimacy assessment information is reference information used to assess or determine whether the ticket application request is legitimate; it can include, for example, the user identity information, the device information of the terminal, process information and the information of the resource that needs to be accessed.
The user identity information can include the user's login account, password, employee number, position, department and similar information. It can also include the user's access permission information, access object information and so on.
The device information can include the type of the device, the binding information between the device and the user information, standardization or initialization information, and so on.
The process information can include information about the processes currently running on the terminal and about the process that needs to access the resource, for example the process identifier (PID), the process type and the security information of the process (such as whether it is dangerous, or its security level).
The information of the resource to be accessed can include attribute information of the resource currently to be accessed, for example the resource name, resource address and resource size.
In the embodiment of the present invention there are many ways to obtain the request legitimacy assessment information. For example, the access ticket application request can carry it, in which case the access control apparatus can obtain the request legitimacy assessment information by parsing the access ticket application request.
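A legitimacy decision built from the four categories of assessment information listed above (user identity, device information, process information, resource information), as an added example that is not part of the patent text. The device baseline, the per-user access permissions, the process security classification and the JSON wire format of the ticket application request are all constructed assumptions; the text only says which categories are consulted, not how.

```python
import json
from dataclasses import dataclass
from typing import Tuple

# Constructed state of the access control apparatus. The baseline records which
# user each registered device is bound to and whether standardization completed.
DEVICE_BASELINE = {
    "dev-001": {"user": "alice", "standardized": True},
    "dev-002": {"user": "bob", "standardized": False},
}
# Access permission information per user: the resource addresses they may reach.
USER_ACCESS = {
    "alice": {"code.corp.example", "oa.corp.example"},
    "bob": {"oa.corp.example"},
}
# Security information per process type; anything unknown is treated as untrusted.
PROCESS_SECURITY = {"browser": "safe", "unknown-tool": "dangerous"}


@dataclass
class AssessmentInfo:
    user: str
    device_id: str
    process_name: str
    resource_address: str


def parse_application_request(raw: bytes) -> AssessmentInfo:
    """The ticket application request carries the assessment information and the
    apparatus parses it out (JSON encoding is an assumption of this example)."""
    data = json.loads(raw)
    return AssessmentInfo(data["user"], data["device_id"],
                          data["process_name"], data["resource_address"])


def assess_ticket_request(info: AssessmentInfo) -> Tuple[bool, str]:
    """Return (legitimate, reason). Each category of assessment information is
    checked in turn and the first failing check decides; a ticket is issued
    only when every check passes."""
    device = DEVICE_BASELINE.get(info.device_id)
    if device is None:
        return False, "device not registered"
    if device["user"] != info.user:
        return False, "device bound to a different user"
    if not device["standardized"]:
        return False, "device not standardized"
    if PROCESS_SECURITY.get(info.process_name, "unknown") != "safe":
        return False, "process not trusted"
    if info.resource_address not in USER_ACCESS.get(info.user, set()):
        return False, "user lacks access to resource"
    return True, "ok"
```

The reason string is what the apparatus would log; returning it alongside the decision makes refused ticket applications auditable without leaking the policy to the terminal, which only needs the boolean.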
In one embodiment, access control apparatus also requests legal assessment information to terminal request, for example, working as access control Equipment receives access tickets
103. Send a connection establishment request to the gateway device of the network, the connection establishment request carrying the access ticket.

The network may be a local area network, that is, a computer network of limited scope such as an intranet, for example an enterprise intranet.

A gateway device is a computer system or device that provides data conversion services between multiple networks. It is the connection point between different networks: the device through which data must be "negotiated" when passing from one network to another. The gateway device may be a SmartGate (intelligent gateway), for example a borderless intelligent gateway.

In the embodiment of the present invention, after the gateway proxy process receives a resource access request and before a connection is established, the terminal can apply for an access ticket through the network access client, and then establish a connection with the gateway device based on the ticket applied for, for example a TCP (Transmission Control Protocol) connection.

In one embodiment, to improve the security of resource access, an encrypted connection or encrypted tunnel may be established instead.

After the gateway device receives the connection establishment request sent by the terminal, it can verify the access ticket carried by the request, for example by sending the access ticket to the access control apparatus for verification. If the verification passes, the gateway device establishes the connection with the terminal.

104. When the connection is successfully established, send the resource access request to the gateway device over the connection, so that the gateway device forwards the resource access request to the resource server in the network.

For example, the resource access request of an application process can be forwarded to the gateway device over the connection. When the gateway proxy process on the terminal receives a resource access request sent by an application process (such as a browser), it can send an access ticket acquisition request to the NGN client; the NGN client obtains an access ticket from the access control apparatus based on the acquisition request and returns it to the gateway proxy process; the gateway proxy process establishes a connection with the gateway device according to the access ticket, and once the connection is established successfully, sends the resource access request to the gateway device over that connection.

For example, with reference to Fig. 1c, once the encrypted tunnel or connection is established, the terminal can send a resource access request, such as an office (OA) resource access request, to the gateway device over it. After the gateway device receives the resource access request, it forwards the request to the corresponding resource server in the intranet (such as the OA resource server), thereby realizing access to the intranet resource.
In one embodiment, seen from the gateway device's side: the gateway device receives the connection establishment request sent by the terminal, the request carrying the access ticket; sends a verification request carrying the access ticket to the access control apparatus, so that the access control apparatus verifies the access ticket; when the access ticket passes verification, establishes the connection with the terminal according to the connection establishment request; receives, over the established connection, the resource access request sent by the terminal; and forwards the resource access request to the resource server.

In one embodiment, to improve resource access security, the resource access request itself carries the access ticket. In that case the step "forwarding the resource access request to the resource server" may include:

sending a verification request carrying the access ticket to the access control apparatus, so that the access control apparatus verifies the access ticket;

when the access ticket passes verification, forwarding the resource access request to the resource server.

In one embodiment, to improve resource access security, a validity period can be set for the established connection. While the validity period has not been reached, the connection can be used to send resource access requests; once the validity period is reached, the connection is no longer used to send them. For example, the step "sending the resource access request to the gateway device over the connection" may include:

determining whether the validity period of the connection has been reached;

if not, sending the resource access request to the gateway device over the connection.

In one embodiment, when the validity period of the connection has been reached, the terminal can apply to the network access client for a new access ticket, re-establish a new connection with the gateway device based on the new access ticket, and then forward the resource access request to the gateway device over the new connection.

In one embodiment, to improve resource security, even after the connection has been established the access ticket still has to be sent and verified on every resource access; only when the verification passes does the gateway device forward the resource access request to the corresponding resource server.

For example, the resource access request may also carry the access ticket and business information. After receiving the resource access request, the gateway device can send the access ticket to the access control apparatus for verification; if the verification passes, the gateway device forwards the resource access request to the corresponding resource server according to the business information.
In one embodiment, to improve resource security, the network access client can monitor the safe state of the terminal in real time and send safe-state information to the access control apparatus, so that the access control apparatus determines from the safe-state information whether the safe state of the terminal is abnormal. For example, the method provided in the embodiment of the present invention may further include:

detecting the safe state of the terminal in real time through the network access client, to obtain safe-state information;

sending the safe-state information to the access control apparatus through the network access client, so that the access control apparatus determines from the safe-state information whether the safe state of the terminal is abnormal.

For example, with reference to Fig. 1c, the safe state of the terminal can be detected in real time by the network access client, such as the NGN client, which then reports the safe-state information to the access control apparatus in real time or periodically.

The safe-state information may include: heartbeat data; security data (such as Trojan, patch and system log data); process information (such as process identifiers and process security levels); device information (such as device standardization information and device binding information); interface information (such as the security information of API interfaces and interface call information); resource access log information; and so on.

The access control apparatus can determine the safe state of the terminal in real time from the received safe-state information, and when it finds that the safe state of the terminal is abnormal, it can notify the gateway device to interrupt all connections with the terminal, improving the security of resource access.

For example, in one embodiment, when the access control apparatus determines from the safe-state information that the safe state of the terminal is abnormal, it can send a connection interruption instruction to the gateway device; the gateway device receives the connection interruption instruction sent by the access control apparatus and interrupts all connections with the terminal according to it.

It can be seen from the above that, in the embodiment of the present invention, when a resource needs to be accessed, an access ticket acquisition request is sent to the network access client; the access ticket returned by the network access client is received, the network access client having obtained the access ticket from the access control apparatus based on the acquisition request; a connection establishment request carrying the access ticket is sent to the gateway device of the network; and when the connection is successfully established, the resource access request is sent to the gateway device over the connection, so that the gateway device forwards it to the resource server in the network. In this scheme all resource access requests are proxied by the gateway device, and access to the network is controlled by issuing access tickets only to legal terminals, so that a terminal cannot access intranet resources directly and only trusted processes can access them. Even if a user terminal is attacked by a hacker, the hacking tools on the terminal cannot intrude on sensitive resources, which greatly improves resource security.

In addition, the embodiment of the present invention can report safe-state information to the access control apparatus in real time; the access control apparatus determines the safe state of the terminal in real time and, if an abnormality is found, notifies the gateway device to interrupt all connections with the terminal, further improving resource security.
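The flow of steps 103 and 104 together with the ticket re-verification on every request, the connection validity period and the connection interruption on an abnormal safe state, traced in an added Python example. This is illustrative code written for this page, not code from the patent or from Tencent. The ticket format (an HMAC-SHA256-signed, base64-encoded JSON body bound to user, device, process and resource), the 60-second validity period, the 30-second heartbeat timeout and all class and method names are assumptions; the NGN client and the gateway proxy process are collapsed into a single Terminal object, and the access control apparatus is called directly instead of over the network.

```python
import base64
import hashlib
import hmac
import json


class AccessControlApparatus:
    """Issues and verifies access tickets; tracks each terminal's safe state."""
    def __init__(self, key, ticket_ttl=60.0, heartbeat_timeout=30.0):
        self._key = key                  # assumption: HMAC key known only to this apparatus
        self.ticket_ttl = ticket_ttl     # assumption: ticket and connection validity period (s)
        self.heartbeat_timeout = heartbeat_timeout
        self.abnormal = set()            # devices whose safe state was found abnormal
        self.gateway = None              # set when the gateway device is created

    def _sig(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_ticket(self, user, device, process, resource, now):
        """Steps 201-204: ticket bound to user, device, process and resource; none for an abnormal terminal."""
        if device in self.abnormal:
            return None
        body = {"user": user, "device": device, "process": process,
                "resource": resource, "exp": now + self.ticket_ttl}
        payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
        return payload + "." + self._sig(payload.encode())

    def verify_ticket(self, ticket, now):
        """Steps 205-206: the ticket body if we issued it and it is still valid, otherwise None."""
        try:
            payload, sig = ticket.split(".")
            if not hmac.compare_digest(sig, self._sig(payload.encode())):
                return None              # not issued by us, or tampered with
            body = json.loads(base64.urlsafe_b64decode(payload))
        except (ValueError, TypeError):
            return None
        if body["exp"] <= now or body["device"] in self.abnormal:
            return None
        return body

    def report_safety_state(self, device, state, now):
        """Safe-state report from the network access client; abnormal -> interrupt all connections."""
        stale = now - state.get("last_heartbeat", now) > self.heartbeat_timeout
        if stale or state.get("trojan_found", False):
            self.abnormal.add(device)
            self.gateway.interrupt(device)
            return False
        return True


class GatewayDevice:
    """Proxies every resource access request; nothing reaches the intranet without a ticket."""
    def __init__(self, acs, resource_servers):
        self.acs = acs
        acs.gateway = self
        self.servers = resource_servers  # business name -> resource server handler
        self.connections = {}            # conn id -> (device, validity period end)
        self._count = 0

    def establish_connection(self, ticket, now):
        """Step 103/205: the ticket goes to the access control apparatus before a connection is made."""
        body = self.acs.verify_ticket(ticket, now)
        if body is None:
            return None
        self._count += 1
        conn_id = "conn-%d" % self._count
        self.connections[conn_id] = (body["device"], body["exp"])
        return conn_id

    def forward(self, conn_id, ticket, business, now):
        """Step 104: re-verify the ticket on every request, then forward to the resource server."""
        conn = self.connections.get(conn_id)
        if conn is None or conn[1] <= now:
            return None
        body = self.acs.verify_ticket(ticket, now)
        if body is None or body["device"] != conn[0] or body["resource"] != business:
            return None
        return self.servers[business](body["user"])

    def interrupt(self, device):
        """Connection interruption instruction: drop every connection of the terminal."""
        victims = [c for c, (d, _) in self.connections.items() if d == device]
        for c in victims:
            del self.connections[c]
        return len(victims)


class Terminal:
    """Gateway proxy process and network access client, collapsed into one object."""
    def __init__(self, device, user, acs, gw):
        self.device, self.user, self.acs, self.gw = device, user, acs, gw
        self.sessions = {}               # business -> (conn id, ticket, validity period end)

    def access(self, process, business, now):
        """Steps 101-104: reuse the connection while valid, otherwise apply for a new ticket first."""
        sess = self.sessions.get(business)
        if sess is None or sess[2] <= now:
            ticket = self.acs.issue_ticket(self.user, self.device, process, business, now)
            conn_id = self.gw.establish_connection(ticket, now) if ticket else None
            if conn_id is None:
                return None
            sess = self.sessions[business] = (conn_id, ticket, now + self.acs.ticket_ttl)
        return self.gw.forward(sess[0], sess[1], business, now)
```

Two design points worth noting: the signature is what makes "is this a ticket we issued" checkable without a server-side ticket table, and because the ticket names the resource, a connection opened for OA cannot be reused to reach another business even with a valid ticket. Once a terminal is marked abnormal, both its existing connections and any new ticket application fail, which is the "interrupt all connections" behaviour described above.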
In the embodiment of the present invention, the description will now be given from the perspective of another resource access device, which may be integrated in the access control apparatus, for example a server.

In one embodiment, a resource access method is provided which can be executed by the processor of the access control apparatus. As shown in Fig. 2, the specific flow of the resource access method can be as follows:

201. Receive the ticket application request sent by the terminal.

The ticket application request can be sent by the network access client of the terminal: for example, when the network access client of the terminal receives the access ticket acquisition request sent by the gateway proxy process, it can send a ticket application request to the access control apparatus.

202. Obtain the request-legality assessment information according to the ticket application request.

The request-legality assessment information is reference information used to assess or determine whether the resource access request is legal. It may include, for example, user identity information, device information of the terminal, process information, and information on the resource to be accessed.

The user identity information may include the user's login account, password, employee number, position, the department the user belongs to, and similar information. It may further include the user's access permission information, access object information, and so on.

The device information may include the device type, the binding between the device and the user information, device standardization information, initialization information, and so on.

The process information may include information on the processes currently running on the terminal and on the process that needs to access the resource, for example the process identifier (PID), the process type, and the security information of the process (such as whether it is dangerous, or its security level).

The information on the resource to be accessed may include attribute information of the resource that currently needs to be accessed, for example the resource name, the resource address, and the resource size.

In the embodiment of the present invention, the terminal can send this information to the access control apparatus actively: for example, the ticket application request can carry the request-legality assessment information, in which case the access control apparatus obtains the information by parsing the ticket application request.

In one embodiment, the access control apparatus can also obtain the request-legality assessment information from the terminal when it receives the ticket application request.

203. Determine, according to the request-legality assessment information, whether the current ticket application request is legal; if so, execute step 204; if not, refuse to issue the access ticket.
In one embodiment, the access control apparatus can carry out, in sequence, a terminal security judgement, a request-process legality judgement, user identity verification and a permission check, to determine whether the current ticket application request is legal.

For example, when the request-legality assessment information includes process information, information on the resource to be accessed, device information and user identity information, the step "determining, according to the request-legality assessment information, whether the current ticket application request is legal" may include:

determining whether the terminal is safe according to the request-legality assessment information;

if it is safe, determining whether the process currently accessing the resource is legal according to the process information;

if it is legal, verifying the identity of the current requesting user according to the user identity information;

if the identity verification passes, checking the resource access permission of the current requesting user;

if the permission check passes, determining that the current ticket application request is legal.

In one embodiment, the security level of the terminal can be obtained from the request-legality assessment information, and the terminal is determined to be safe when the security level is greater than a predetermined level.
In one embodiment, to improve the security of resource access, the heartbeat situation of the terminal and the resource access behaviour of the user can also be combined to determine whether the request is legal, improving the accuracy of the legality judgement. For example, the resource access method of the embodiment of the present invention may further include:

obtaining the resource access log of the requesting user and the heartbeat data sent by the terminal;

in which case the step "determining whether the terminal is safe according to the request-legality assessment information" may include:

determining from the heartbeat data whether the heartbeat of the terminal is abnormal, to obtain a heartbeat abnormality result;

carrying out anomaly analysis on the resource access behaviour of the requesting user according to the resource access log, to obtain a behaviour anomaly analysis result;

obtaining the security level of the terminal according to the heartbeat abnormality result, the behaviour anomaly analysis result and the request-legality assessment information;

when the security level is greater than the predetermined level, determining that the terminal is safe.

The heartbeat data can be reported by the terminal in real time or periodically; for example, after the terminal device has registered successfully and completed device standardization, it can report heartbeat data to the access control apparatus in real time.

The resource access log of the requesting user can be obtained from a log storage system or from the terminal; the specific way of obtaining it can be set according to actual needs. For example, the terminal can also report its resource access log in real time after successful device registration.

For example, in some scenarios the terminal's heartbeat data stops being sent (that is, the heartbeat is abnormal) but the access control apparatus still receives a ticket request. The resource access can then be judged risky, the request determined to be illegal, and no access ticket issued, so that the resource access is forbidden.

As another example, in some scenarios the access control apparatus finds from the access log that the requesting user accessed resources from different places at the same time. The current resource access can then be judged risky, the request determined to be illegal, and no access ticket issued, so that the resource access is forbidden.

In one embodiment, to improve the security of resource access, access tickets can also be issued only to devices that have been registered. Since every registered device is in the device list, whether the current resource access is safe can be determined from whether the device list contains a device bound to the user. Specifically, the method of the embodiment of the present invention may further include:

obtaining a device list, the device list containing device identification information and user identity information that are bound to each other;

determining whether the device list contains device identification information bound to the user identity information of the requesting user, to obtain a device determination result;

in which case the step "obtaining the security level of the terminal according to the heartbeat abnormality result, the behaviour anomaly analysis result and the request-legality assessment information" may include:

obtaining the security level of the terminal according to the device determination result, the heartbeat abnormality result, the behaviour anomaly analysis result and the request-legality assessment information.

For example, in some scenarios, when determining whether the terminal is safe it is also necessary to consider whether the current terminal has performed device registration. If it has, the device list generally contains the device identification information of the terminal together with the user identity information bound to it. If the device list contains no device identification information bound to the requesting user's identity information, the resource access can be judged risky and the security level of the terminal lowered, so that the request is determined to be illegal and no access ticket is issued, forbidding the resource access.
In one embodiment, to improve the security of resource access, when determining whether a request is legal and whether to issue an access ticket, the access control apparatus also needs to check the resource access permission of the current requesting user; for example, when the permission check of the current requesting user does not pass, no access ticket is issued, so that the resource access is forbidden. Specifically, the step "checking the resource access permission of the current requesting user" may include:

obtaining the attribute information of the current requesting user in a preset organizational structure and the default permission information of the resource to be accessed;

checking the resource access permission of the current requesting user according to the attribute information and the default permission information.

The preset organizational structure can be built on the most basic structures of the enterprise, such as its process operation, departmental setup and functional planning.

The attribute information of the user in the organizational structure may include the department the user belongs to, the position the user holds, and so on.

In one embodiment, the requesting user's permission information for the resource to be accessed can be obtained from the user's attribute information in the preset organizational structure and matched against the default permission information; if the match succeeds, the resource access permission check of the current requesting user is determined to pass, otherwise it does not pass.

In one embodiment, to improve the flexibility of resource access, an access control policy for the resource to be accessed can be pre-configured (for example specifying which employees may access it). The permission check can then also verify the resource access permission of the current requesting user according to the user identity information of the current requesting user and the access control policy. For example, when the identity information of the requesting user is an identity permitted by the access control policy, the permission check is determined to pass; otherwise it does not pass.

In one embodiment, when the access control apparatus obtains user identity information it can store it in a cache and set a validity period for it. When verifying the user identity, if the user identity information in the cache is still valid, identity verification is carried out directly from the cached user identity information; if the cached user identity information has expired, the user identity information of the requesting user has to be obtained again, for example by requiring the requesting user to re-enter the user account and password on the terminal side.
204. Send the access ticket to the terminal.

By the means introduced above, the access control apparatus can determine whether the current ticket application request is legal. When it is determined to be legal, the access control apparatus obtains an access ticket and sends it to the network access client of the terminal, such as the NGN client.

205. Receive the verification request sent by the gateway device, the verification request carrying the access ticket.

When the network access client of the terminal receives the access ticket, it can return it to the gateway proxy process. The gateway proxy process can establish a connection or channel with the gateway device according to the access ticket; for example, it can send a connection establishment request to the gateway device. When the connection is established successfully, the gateway proxy process can send the resource access request to the gateway device over the connection.

206. Verify the access ticket and send the ticket verification result to the gateway device.

When the gateway device receives the connection establishment request, it can parse out the access ticket carried by the request and send a verification request carrying the access ticket to the access control apparatus. On receiving the verification request, the access control apparatus verifies the access ticket, for example by checking whether it is legal (whether its validity period has been reached, whether it is an access ticket the access control apparatus itself issued, and so on).

In one embodiment, the method of the present invention may further include:

receiving a device registration request sent by the terminal, the device registration request carrying user identity information and the device identification information of the terminal;

verifying the user identity information;

if the verification passes, binding the device identification information to the user identity information, and updating the device list.

In practical application, device registration can be carried out in the process of the user logging in to the network access client, the device registration request then being the login request. For example, the terminal can send a login request to the access control apparatus carrying the user identity information (account and password, etc.) and the device identification information of the terminal. The access control apparatus verifies the user identity information, for example verifying the user's login account and password through an account and password system; if the verification passes, the user is allowed to log in to the network access client, the device identification information is bound to the user identity information, and the device list is updated, completing the login and the device registration.
In one embodiment, to further improve the security of resource access, the safe-state information sent by the terminal can be received in real time, and whether the safe state of the terminal is abnormal is determined according to the safe-state information; if it is abnormal, a connection interruption instruction is sent to the gateway device.

The safe-state information may include: heartbeat data; security data (such as Trojan, patch and system log data); process information (such as process identifiers and process security levels); device information (such as device standardization information and device binding information); interface information (such as the security information of API interfaces and interface call information); resource access log information; and so on.

The access control apparatus can determine the safe state of the terminal in real time from the received safe-state information, and when it finds that the safe state of the terminal is abnormal, it can notify the gateway device to interrupt all connections with the terminal, improving the security of resource access.

It can be seen from the above that the embodiment of the present invention receives the ticket application request sent by the terminal; obtains the request-legality assessment information according to the ticket application request; determines from the request-legality assessment information whether the current ticket application request is legal; if it is legal, sends the access ticket to the terminal; receives the verification request sent by the gateway device, the verification request carrying the access ticket; and verifies the access ticket and sends the ticket verification result to the gateway device. In this scheme all resource access requests are proxied by the gateway device, and access to the network is controlled by issuing access tickets only to legal terminals, so that a terminal cannot access intranet resources directly and only trusted processes can access them. Even if a user terminal is attacked by a hacker, the hacking tools on the terminal cannot intrude on sensitive resources, which greatly improves resource security.
The method described in the above embodiments is further described below by way of example.

In this embodiment the first resource access device is integrated in the terminal and the second resource access device is integrated in the access control apparatus, to further explain the resource access method of the present invention.

Referring to the resource access system shown in Fig. 1a, the system may include a terminal, a gateway device, an access control apparatus and a resource server.

The terminal is installed with a network access client (such as an NGN client), a gateway proxy process and a browser.

With reference to Fig. 3a and Fig. 3b, the resource access flow based on the above is as follows:

301. When the gateway proxy process receives a resource access request, it sends an access ticket acquisition request to the network access client.

For example, in one embodiment, when the gateway proxy process receives a resource access request (at which point it can determine that a resource needs to be accessed), it sends an access ticket application request to the network access client.

The access ticket acquisition request can carry the current business information and so on.

With reference to Fig. 3c, when the gateway proxy process on the terminal receives a resource access request triggered by the browser, it can request an access ticket from the network access client, such as the NGN (New Generation Network) client; specifically, it can send an access ticket acquisition request to the network access client.

In one embodiment, before accessing resources the terminal can also register with the access control apparatus, so that the device identification information of the current terminal is bound to the user identity information, which improves the security of resource access. For example, in the method provided in the embodiment of the present invention, before a resource needs to be accessed, a device registration request carrying the user identity information and the device identification information of the terminal can be sent to the access control apparatus; when the device registration succeeds, the terminal can carry out device standardization processing through the network access client, such as the NGN client.

The user identity information may include an account and password, such as the login account and password of the network access client.

For example, with reference to Fig. 3c, the terminal first registers with the access control apparatus, and after the registration passes, resource access can be carried out through the gateway proxy process. When the access control apparatus receives the device registration request it can parse it to obtain the user identity information and the device information of the terminal, then verify the user identity information; if the verification passes, it binds the user identity information to the device identification information, completing the device registration. For example, the access control apparatus can verify the user account through an account verification system.

In practical application, device registration can be carried out in the process of the user logging in to the network access client, the device registration request being the login request. For example, when a new employee of an enterprise needs to access a resource, the employee first opens the network access client installed on the terminal and enters the user account and password to log in to it; that is, the terminal sends a login request to the access control apparatus, which verifies the user account and password carried by the request and, if the verification passes, returns a login success message, after which the terminal can enter the network access client, as shown in Fig. 1d. When the verification passes, the access control apparatus can bind the device identifier of the current terminal (such as the device ID) to the user identity information (such as the user name) and store the binding in the device list, also called the device baseline.
In one embodiment, in order to promote the safety of resource, network insertion client can be with real-time monitoring terminal Safe condition, and safety state information is sent to access control apparatus, so that access control apparatus is true based on safety state information Whether the safe condition for determining terminal is abnormal.
For example, with reference to Fig. 3c, the network access client can detect the security state of the terminal in real time to obtain security state information, and send the security state information to the access control device in real time.
The security state information may include: heartbeat data, security data (such as trojan, patch and system log data), process information (such as process identifiers and process security levels), device information (such as device standardization information and device binding information), interface information (such as the security information and usage information of API interfaces), etc. For example, the network access client can monitor APIs through an API monitoring module and report the monitoring data.
The access control device can determine the security state of the terminal in real time from the received security state information; when it finds that the security state of the terminal is abnormal, it can notify the gateway device to break all connections with the terminal, which improves the security of resource access. For example, it can send a disconnection instruction to the gateway device, and the gateway device breaks all connections with the terminal according to that instruction, ensuring the security of the resource.
With reference to Fig. 3c, in the embodiment of the present invention the access control device integrates an access control engine, and the operations performed by the access control device can be realized by the access control engine. The access control engine may include: a heartbeat service module, a security operations center (SOC) module, a security configuration module, a device baseline module and a user behavior analysis module.
The heartbeat service module provides the heartbeat service; specifically, it receives the heartbeat data reported by the terminal in real time and responds to it.
The SOC module stores security data, for example the system logs of the device, resource access logs, terminal process information and standardization information, and determines from the user's resource access behavior data whether the terminal is abnormal.
The security configuration module is used by technical staff to configure secure access policies, such as the policy applied when the terminal security state is abnormal, the policy for issuing access tickets, resource access permissions, the security level calculation method, etc.
The user behavior analysis module analyses the user's resource access behavior according to the resource access logs (for example based on the security data in the SOC module) to obtain a behavior analysis result, so that the access control engine can compute the security level of the terminal from the behavior analysis result, the heartbeat anomaly result, the request legality assessment information and so on, and thereby confirm whether the terminal device is secure.
In one embodiment, the access control device can determine the security state of the terminal from both the security state information reported by the terminal in real time and the security state information obtained from a security system (such as the SOC module).
In one embodiment, the access control engine can also include a post-audit module. It obtains business access logs, such as cloud disk access logs (which can be obtained from the security system), determines the path of each business access request from the business access logs, and judges whether the business access request was sent through the gateway device; if not, it determines that the business access is abnormal, can notify the gateway device to break the connection, and alerts the technical staff.
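The post-audit check described above, as an added example that is not part of the patent: it assumes the resource server's access log records the immediate source address of each request and that the addresses of all gateway devices are known, so any access whose source is not a gateway bypassed the proxy. The log format, addresses and field names are constructed for the example.

```python
import re

# Constructed: addresses of the gateway devices that every legitimate request must traverse.
GATEWAY_ADDRS = {"10.0.0.1", "10.0.0.2"}

# Assumed log line layout of the cloud disk (business) access log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Constructed sample log; the third line reaches the cloud disk from a workstation
# address instead of a gateway, which is the "business access abnormal" case.
SAMPLE_LOG = """\
2018-08-07T09:00:01 user=alice src=10.0.0.1 dst=clouddisk path=/finance/q2.xlsx status=200
2018-08-07T09:00:05 user=bob src=10.0.0.2 dst=clouddisk path=/hr/payroll.csv status=200
2018-08-07T09:01:10 user=bob src=10.3.7.44 dst=clouddisk path=/hr/payroll.csv status=200
2018-08-07T09:02:00 user=carol src=10.0.0.1 dst=clouddisk path=/eng/specs.pdf status=403
malformed line that the parser must skip
"""


def parse_log(text: str) -> list:
    """Parse the business access log into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def audit(entries: list, gateway_addrs=GATEWAY_ADDRS) -> list:
    """Return the accesses whose path did not traverse a gateway device.
    A request rejected by the resource server (status 403) but sent via a gateway is
    not flagged: the audit is about the path, not the outcome."""
    return [e for e in entries if e["src"] not in gateway_addrs]


def build_alerts(abnormal: list) -> list:
    """Turn each abnormal access into the notification the post-audit module raises:
    tell the gateway device to drop the terminal and alert the technical staff."""
    return [
        {"user": e["user"], "src": e["src"], "path": e["path"], "action": "disconnect+notify"}
        for e in abnormal
    ]
```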
302. The network access client sends a ticket application request to the access control device according to the access ticket acquisition request.
For example, the network access client can obtain the request legality assessment information according to the access ticket acquisition request, then generate the corresponding ticket application request from that information and send the ticket application request to the access control device.
303. The access control device obtains the request legality assessment information according to the ticket application request.
For example, in one embodiment, when the ticket application request carries the request legality assessment information, the ticket application request can be parsed to obtain it.
For another example, in one embodiment, the access control device can also obtain the request legality assessment information from a security system or from the terminal according to the ticket application request. The security system can be located in the access control device or be implemented by other equipment.
The request legality assessment information is the reference information used to assess or determine whether the ticket application request is legal; for example, it may include the user identity information, the device information of the terminal, the process information, the resource information of the resource to be accessed, etc.
The user identity information may include the user's login account, password, employee number, position, the department the user belongs to, and similar information. In addition, the user identity information can also include the user's access permission information, access object information, etc.
The device information may include the device type, the binding information between the device and the user information, the device standardization or initialization information, etc.
The process information may include information on the processes currently running on the terminal and on the process that needs to access the resource, for example the process identifier (PID), the process type, and the security information of the process (such as whether it is dangerous, or its security level).
The resource information of the resource to be accessed may include attribute information of the resource that currently needs to be accessed, for example the resource name, resource address, resource size, etc.
304. The access control device determines whether the current ticket application request is legal according to the request legality assessment information; if it is legal, step 305 is performed.
The access control device issues an access ticket when it determines that the current ticket application request is legal, and refuses to issue an access ticket when the request is illegal.
In one embodiment, the access control device can perform, in sequence, a terminal security judgment, a request process legality judgment, user identity verification and permission verification to determine whether the current ticket application request is legal.
For example, when the request legality assessment information includes process information, the resource information of the resource to be accessed, device information and user identity information, the access control device determines whether the terminal is secure according to the request legality assessment information; if it is secure, it determines from the process information whether the process currently accessing the resource is legal; if the process is legal, it verifies the identity of the current requesting user according to the user identity information; if the identity verification passes, it verifies the resource access permission of the current requesting user; if that verification also passes, it determines that the current ticket application request is legal.
For example, in one embodiment, to improve the security of resource access, the heartbeat status of the terminal, the binding status in the device list and the user's resource access behavior can also be combined to determine whether the request is legal, improving the accuracy of the request legality judgment. The access control device can determine from the heartbeat data whether the heartbeat of the terminal is abnormal, obtaining a heartbeat anomaly result; perform anomaly analysis on the resource access behavior of the requesting user according to the resource access logs, obtaining a behavior anomaly analysis result; determine whether the device list contains device identification information bound to the user identity information of the requesting user, obtaining a device determination result; obtain the security level of the terminal from the device determination result, the heartbeat anomaly result, the behavior anomaly analysis result and the request legality assessment information; and determine that the terminal is secure when the security level is greater than a predetermined level.
The heartbeat data can be reported by the terminal in real time or periodically; for example, after the terminal device has registered successfully and completed device standardization, it can report heartbeat data to the access control device in real time.
In one embodiment, the resource access permission verification may include: obtaining the attribute information of the current requesting user in a preset organizational structure and the preset permission information of the resource to be accessed; and verifying the resource access permission of the current requesting user according to the attribute information and the preset permission information.
The preset organizational structure can be the most basic structure of the enterprise's process operation, department setup and functional planning.
The attribute information of the user in the organizational structure may include the department the user belongs to, the user's position, etc.
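The four-stage legality check of step 304, the security level merge of the embodiment above, and the ticket issue and verification of steps 305 and 309, as an added example that is not the patent's code. The level weights, the threshold, the HMAC ticket format, the reference tables (users, device list, trusted processes, resource permissions) and all names are assumptions standing in for the security configuration module and the SOC module.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values; the patent leaves thresholds and the level formula to the
# security configuration module.
PREDETERMINED_LEVEL = 60
HEARTBEAT_TIMEOUT_S = 30.0
BEHAVIOR_WINDOW_S = 60.0
BEHAVIOR_MAX_ACCESSES = 20
TICKET_KEY = secrets.token_bytes(32)   # constructed ticket-signing key of the access control device


def password_hash(pw: bytes) -> str:
    return hashlib.sha256(pw).hexdigest()


# Constructed reference data standing in for the SOC module, the device list and the
# preset organizational structure with its resource permissions.
USERS = {"alice": {"pw": password_hash(b"s3cret"), "dept": "finance", "position": "analyst"}}
DEVICE_LIST = {("dev-001", "alice")}                          # (device id, user) bindings
TRUSTED_PROCESSES = {"oa_client.exe", "browser.exe"}           # processes allowed to reach resources
RESOURCE_PERMISSIONS = {"oa://finance/reports": {"finance"}}   # resource -> allowed departments


@dataclass
class LegalityInfo:
    """Request legality assessment information carried by a ticket application request."""
    user: str
    pw_hash: str
    device_id: str
    device_standardized: bool
    process_name: str
    resource: str


def heartbeat_abnormal(last_heartbeat: float, now: float) -> bool:
    return now - last_heartbeat > HEARTBEAT_TIMEOUT_S


def behavior_abnormal(access_log, user: str, now: float) -> bool:
    # access_log: iterable of (user, resource, timestamp) rows from the resource access log
    recent = [t for u, _r, t in access_log if u == user and now - t <= BEHAVIOR_WINDOW_S]
    return len(recent) > BEHAVIOR_MAX_ACCESSES


def security_level(info: LegalityInfo, last_heartbeat: float, access_log, now: float) -> int:
    """Merge heartbeat, behavior, device binding and device state into one level (0..100)."""
    level = 100
    if heartbeat_abnormal(last_heartbeat, now):
        level -= 40
    if behavior_abnormal(access_log, info.user, now):
        level -= 40
    if (info.device_id, info.user) not in DEVICE_LIST:   # device determination result
        level -= 50
    if not info.device_standardized:
        level -= 20
    return level


def issue_ticket(info: LegalityInfo, now: float, ttl: int = 300) -> str:
    """Step 305: bind the ticket to user, device, process and resource, with an expiry."""
    expiry = int(now) + ttl
    payload = f"{info.user}|{info.device_id}|{info.process_name}|{info.resource}|{expiry}"
    tag = hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_ticket(ticket: str, now: float) -> bool:
    """Step 309: recompute the tag and check the expiry before the gateway may connect."""
    payload, _, tag = ticket.rpartition("|")
    expected = hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    try:
        return now < int(payload.rsplit("|", 1)[1])
    except (IndexError, ValueError):
        return False


def evaluate_ticket_request(info: LegalityInfo, last_heartbeat: float, access_log, now: float):
    """Step 304 in order: terminal security, process legality, user identity, permission.
    Returns (ticket or None, reason); the first failing stage stops the evaluation."""
    if security_level(info, last_heartbeat, access_log, now) <= PREDETERMINED_LEVEL:
        return None, "terminal not secure"
    if info.process_name not in TRUSTED_PROCESSES:
        return None, "process not trusted"
    user = USERS.get(info.user)
    if user is None or not hmac.compare_digest(user["pw"], info.pw_hash):
        return None, "identity verification failed"
    if user["dept"] not in RESOURCE_PERMISSIONS.get(info.resource, set()):
        return None, "no permission for resource"
    return issue_ticket(info, now), "legal"
```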
305. The access control device sends the access ticket to the network access client.
In the manner introduced above, the access control device can determine whether the current ticket application request is legal. When it is determined to be legal, the access control device can obtain an access ticket and send it to the network access client of the terminal, such as the NGN client.
306. The network access client returns the access ticket to the gateway proxy process.
307. The gateway proxy process sends a connection establishment request carrying the access ticket to the gateway device of the network.
The network can be a local area network, i.e. a computer network interconnected within a small range, such as an intranet, for example an enterprise intranet.
A gateway device is a computer system or device that provides data conversion services between multiple networks. The gateway device is the connector between different networks: the device through which data must pass, by "negotiation", when travelling from one network to another. The gateway device can be a SmartGate (intelligent gateway), such as a borderless intelligent gateway.
In the embodiment of the present invention, after the gateway proxy process receives the resource access request and before it establishes a connection, it can apply for an access ticket through the network access client and then establish a connection with the gateway device based on the ticket obtained, for example a TCP (Transmission Control Protocol) connection with the gateway device.
In one embodiment, to improve the security of resource access, an encrypted connection or encrypted channel can also be established; that is, the gateway proxy process sends an encrypted channel or tunnel establishment request to the gateway device.
308. The gateway device sends a verification request carrying the access ticket to the access control device.
After the gateway device receives the connection establishment request sent by the gateway proxy process, it can verify the access ticket carried by the request, for example by sending the access ticket to the access control device for verification; if the verification passes, the gateway device establishes a connection with the terminal.
309. The access control device verifies the access ticket and sends a ticket verification result to the gateway device.
The ticket verification result may be "verification passed" or "verification failed".
310. When the ticket verification passes, the gateway device establishes a connection with the terminal.
For example, when the ticket verification passes, the gateway device can establish an encrypted channel with the terminal.
311. The gateway proxy process sends a resource access request to the gateway device over the established connection.
312. The gateway device forwards the resource access request to the resource server.
For example, with reference to Fig. 3c, once an encrypted channel or connection has been established, the terminal can send a resource access request, such as an office automation (OA) resource access request, to the gateway device over that channel or connection; after the gateway device receives the resource access request, it can forward it to the corresponding resource server in the intranet (such as an OA resource server), thereby accessing the intranet resource.
In one embodiment, to improve resource security, after the connection has been established the access ticket must be sent for verification on every resource access; only when the verification passes does the gateway device forward the resource access request to the corresponding resource server.
For example, the resource access request can also carry the access ticket and business information; after the gateway device receives the resource access request, it can send the access ticket to the access control device for verification, and if the verification passes, the gateway device can forward the resource access request to the corresponding resource server according to the business information.
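The gateway side of steps 307 to 312 together with the disconnection instruction from the security state section, as an added example that is not the patent's code. It models the access control device as a registry of issued tickets (an assumption; the ticket contents are opaque to the gateway), verifies the ticket both when the connection is opened and again on every forwarded request, and tears down all of a terminal's connections when its reported security state is abnormal. All class and field names, the anomaly rule and the business names are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Ticket:
    device_id: str
    expiry: float


class AccessControlDevice:
    """Issues tickets, answers the gateway's verification requests (step 309) and
    orders disconnection when a terminal's reported security state is abnormal."""

    def __init__(self):
        self._issued = {}     # ticket value -> Ticket (constructed registry)
        self.gateways = []    # gateway devices that receive disconnection instructions

    def issue_ticket(self, device_id: str, now: float, ttl: float = 300.0) -> str:
        value = secrets.token_hex(16)
        self._issued[value] = Ticket(device_id, now + ttl)
        return value

    def verify_ticket(self, value: str, device_id: str, now: float) -> bool:
        t = self._issued.get(value)
        return t is not None and t.device_id == device_id and now < t.expiry

    def report_security_state(self, device_id: str, state: dict) -> int:
        """Assumed anomaly rule; returns how many connections were torn down."""
        abnormal = state.get("trojan_detected", False) or state.get("heartbeats_missed", 0) >= 3
        if not abnormal:
            return 0
        return sum(gw.disconnect_all(device_id) for gw in self.gateways)


class ResourceServer:
    def __init__(self, name: str):
        self.name = name
        self.served = []   # requests that actually reached the server

    def handle(self, request: dict) -> str:
        self.served.append(request)
        return f"200 {self.name}:{request['resource']}"


class Gateway:
    """Proxies every resource request: nothing reaches a resource server without a
    connection opened with a valid ticket, and each request's ticket is re-verified."""

    def __init__(self, acd: AccessControlDevice, servers: dict):
        self.acd = acd
        self.servers = servers        # business name -> ResourceServer
        self.connections = {}         # connection id -> device id
        acd.gateways.append(self)

    def establish_connection(self, device_id: str, ticket: str, now: float):
        if not self.acd.verify_ticket(ticket, device_id, now):   # steps 308/309
            return None
        conn_id = secrets.token_hex(8)
        self.connections[conn_id] = device_id                    # step 310
        return conn_id

    def forward(self, conn_id: str, request: dict, now: float) -> str:
        device_id = self.connections.get(conn_id)
        if device_id is None:
            return "403 no established connection"
        if not self.acd.verify_ticket(request.get("ticket", ""), device_id, now):
            return "403 ticket rejected"                         # per-request re-verification
        server = self.servers.get(request.get("business"))
        if server is None:
            return "404 unknown business"
        return server.handle(request)                            # step 312

    def disconnect_all(self, device_id: str) -> int:
        dropped = [c for c, d in self.connections.items() if d == device_id]
        for c in dropped:
            del self.connections[c]
        return len(dropped)


def run_scenario() -> dict:
    """Constructed walkthrough: a legitimate access, a forged ticket, a ticket replayed
    from another device, an expired ticket, and an anomaly report that drops the terminal."""
    acd = AccessControlDevice()
    oa = ResourceServer("oa-server")
    gw = Gateway(acd, {"oa": oa})
    now = 1_000.0
    ticket = acd.issue_ticket("dev-001", now)
    conn = gw.establish_connection("dev-001", ticket, now)
    req = {"ticket": ticket, "business": "oa", "resource": "/reports"}
    return {
        "connected": conn is not None,
        "forged_ticket_connect": gw.establish_connection("dev-001", "deadbeef", now),
        "other_device_connect": gw.establish_connection("dev-002", ticket, now),
        "oa_response": gw.forward(conn, req, now),
        "no_ticket_response": gw.forward(conn, {"business": "oa", "resource": "/reports"}, now),
        "expired_response": gw.forward(conn, req, now + 600),
        "dropped": acd.report_security_state("dev-001", {"trojan_detected": True}),
        "after_drop": gw.forward(conn, req, now),
        "served": len(oa.served),
    }
```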
With the scheme provided by the embodiment of the present invention, a new employee of an enterprise can install the NGN client, log in to it and complete device standardization, and then access the network and its resources; when a resource is accessed, the access control device can issue an access ticket based on the security state, and resource access is realized through the access ticket.
For an existing employee of the enterprise, each time the terminal (such as a computer) is switched on, the terminal can automatically run the NGN client, log in to it and complete device standardization, and then access the network and its resources.
With the scheme provided by the embodiment of the present invention, a terminal cannot directly access intranet resources such as enterprise resources: the terminal must install a network access client such as the NGN client, and all of the user's network requests are proxied by a gateway device such as the NGN intelligent gateway, which prevents a hacker from accessing internal resources with an unauthorized device. At the same time, the embodiment of the present invention allows only trusted processes to access sensitive resources, so even if the user's computer is attacked by a hacker, the hacking tools on the computer cannot intrude on the sensitive resources.
In addition, in the scheme provided by the embodiment of the present invention, the terminal can detect the security state of the terminal device in real time and report it to the access control device; the access control device merges and analyses the security state data from each source to rate the security of the accessing device in real time and dynamically adjust the device's access permissions, further improving resource access security.
In addition, the scheme provided by the embodiment of the present invention is centred on "person + device + process"; compared with the traditional scheme based on "person + device", the process-granular protection is finer, more accurate and more secure.
To better implement the above method, the embodiment of the present invention also provides a resource access apparatus, which can be integrated in equipment such as a terminal; the terminal can be a tablet computer, a laptop, a mobile phone, etc.
For example, as shown in Fig. 4a, the resource access apparatus may include a ticket request unit 401, a ticket receiving unit 402, a connection unit 403 and an access unit 404, as follows:
The ticket request unit 401 is used to send an access ticket acquisition request to the network access client when a resource needs to be accessed;
The ticket receiving unit 402 is used to receive the access ticket returned by the network access client, the access ticket being obtained by the network access client from the access control device based on the access ticket acquisition request;
The connection unit 403 is used to send a connection establishment request carrying the access ticket to the gateway device of the network;
The access unit 404 is used to send a resource access request to the gateway device over the connection when the connection is successfully established, so that the gateway device forwards the resource access request to a resource server in the network.
In one embodiment, with reference to Fig. 4b, the resource access apparatus can also include a security detection unit 405;
The security detection unit 405 can be used to:
detect the security state of the terminal in real time through the network access client to obtain security state information;
send the security state information to the access control device through the network access client, so that the access control device determines from the security state information whether the security state of the terminal is abnormal.
In one embodiment, with reference to Fig. 4c, the resource access apparatus can also include a registration unit 406;
The registration unit 406 can be used to send a device registration request to the access control device, the device registration request carrying user identity information and device information of the terminal;
A standardization processing unit 407 is used to perform device standardization processing on the terminal through the network access client when the registration succeeds.
In one embodiment, the access unit 404 can specifically be used to:
determine whether the validity period of the connection has expired;
if not, send the resource access request to the gateway device over the connection.
In one embodiment, the registration unit 406 can be used to:
run the network access client in the background when the terminal boots;
detect whether the historical user identity information in the storage unit corresponding to the network access client has expired;
if not, extract the historical user identity information from the storage unit;
automatically send the device registration request to the access control device according to the historical user identity information.
From the above, in the embodiment of the present invention, when a resource needs to be accessed the ticket request unit 401 sends an access ticket acquisition request to the network access client; the ticket receiving unit 402 receives the access ticket returned by the network access client, the access ticket being obtained by the network access client from the access control device based on the access ticket acquisition request; the connection unit 403 sends a connection establishment request carrying the access ticket to the gateway device of the network; and when the connection is successfully established, the access unit 404 sends the resource access request to the gateway device over the connection, so that the gateway device forwards it to a resource server in the network. This scheme can proxy all resource access requests through the gateway device and control which legal terminals access the network by issuing access tickets, so that terminals cannot directly access intranet resources, while only trusted processes are allowed to access intranet resources; in this way, even if a user terminal is attacked by a hacker, the hacking tools on the terminal cannot intrude on sensitive resources, greatly improving resource security.
To better implement the above method, the embodiment of the present invention also provides another resource access apparatus, which can be integrated in the gateway device.
For example, as shown in Fig. 5a, the resource access apparatus may include a receiving unit 501, a verification unit 502, a connection unit 503 and a forwarding unit 504, as follows:
The receiving unit 501 is used to receive a connection establishment request sent by a terminal, the connection establishment request carrying the access ticket;
The verification unit 502 is used to send a verification request carrying the access ticket to the access control device, so that the access control device verifies the access ticket;
The connection unit 503 is used to establish a connection with the terminal according to the connection establishment request when the access ticket verification passes;
The forwarding unit 504 is used to receive the resource access request sent by the terminal over the established connection and forward the resource access request to the resource server.
In one embodiment, with reference to Fig. 5b, the resource access apparatus can also include a connection control unit 505;
The connection control unit 505 can be used to:
receive a disconnection instruction sent by the access control device;
break all connections with the terminal according to the disconnection instruction.
In one embodiment, the resource access request carries the access ticket, and the forwarding unit 504 can specifically be used to:
receive the resource access request sent by the terminal over the established connection;
send a verification request carrying the access ticket to the access control device, so that the access control device verifies the access ticket;
forward the resource access request to the resource server when the access ticket verification passes.
From the above, the resource access apparatus provided by the embodiment of the present invention receives, through the receiving unit 501, a connection establishment request sent by a terminal, the request carrying the access ticket; sends, through the verification unit 502, a verification request carrying the access ticket to the access control device so that the access control device verifies the access ticket; establishes, through the connection unit 503, a connection with the terminal according to the connection establishment request when the access ticket verification passes; and, through the forwarding unit 504, receives the resource access request sent by the terminal over the established connection and forwards it to the resource server. This scheme can proxy all resource access requests through the gateway device and control which legal terminals access the network by issuing access tickets, so that terminals cannot directly access intranet resources, while only trusted processes are allowed to access intranet resources; in this way, even if a user terminal is attacked by a hacker, the hacking tools on the terminal cannot intrude on sensitive resources, greatly improving resource security.
To better implement the above method, the embodiment of the present invention also provides another resource access apparatus, which can be integrated in the access control device.
For example, as shown in Fig. 6a, the resource access apparatus may include a receiving unit 601, an information acquisition unit 602, a determination unit 603 and a ticket sending unit 604, as follows:
The first receiving unit 601 is used to receive a ticket application request sent by a terminal;
The information acquisition unit 602 is used to obtain request legality assessment information according to the ticket application request;
The determination unit 603 is used to determine whether the current resource access request is legal according to the request legality assessment information;
The ticket sending unit 604 is used to send an access ticket to the terminal when the determination unit determines that the current resource access request is legal;
The second receiving unit 605 is used to receive a verification request sent by the gateway device, the verification request carrying the access ticket;
The ticket verification unit 606 is used to verify the access ticket and send a ticket verification result to the gateway device.
In one embodiment, the request legality assessment information includes process information, the resource information of the resource to be accessed, device information and the user identity information of the requesting user; with reference to Fig. 6b, the determination unit 603 may include:
a security determination subunit 6031, used to determine whether the terminal is secure according to the request legality assessment information;
a process determination subunit 6032, used to determine from the process information whether the process currently accessing the resource is legal when the security determination subunit determines that the terminal is secure;
an identity verification subunit 6033, used to verify the identity of the current requesting user according to the user identity information when the process is determined to be legal;
a verification subunit 6034, used to verify the resource access permission of the current requesting user when the identity verification passes, and to determine that the current ticket application request is legal if that verification passes.
In one embodiment, with reference to Fig. 6c, the resource access apparatus can also include a data acquisition unit 607;
The data acquisition unit 607 is used to obtain the resource access logs of the requesting user and the heartbeat data sent by the terminal;
The security determination subunit 6031 is used to:
determine from the heartbeat data whether the heartbeat of the terminal is abnormal, obtaining a heartbeat anomaly result;
perform anomaly analysis on the resource access behavior of the requesting user according to the resource access logs, obtaining a behavior anomaly analysis result;
obtain the security level of the terminal from the heartbeat anomaly result, the behavior anomaly analysis result and the request legality assessment information;
determine that the terminal is secure when the security level is greater than a predetermined level.
In one embodiment, the security determination subunit 6031 is also used to:
obtain a device list, the device list including device identification information and user identity information bound to each other;
determine whether the device list contains device identification information bound to the user identity information of the requesting user, obtaining a device determination result;
obtain the security level of the terminal from the device determination result, the heartbeat anomaly result, the behavior anomaly analysis result and the request legality assessment information.
In one embodiment, the verification subunit 6034 is used to obtain, when the identity verification passes, the attribute information of the current requesting user in a preset organizational structure and the preset permission information of the resource to be accessed;
and to verify the resource access permission of the current requesting user according to the attribute information and the preset permission information.
In one embodiment, with reference to Fig. 6d, the resource access apparatus can also include a security processing unit 608;
The security processing unit 608 can specifically be used to:
receive the security state information sent by the terminal in real time;
determine from the security state information whether the security state of the terminal is abnormal;
if abnormal, send a disconnection instruction to the gateway device.
In one embodiment, with reference to Fig. 6d, the resource access apparatus can also include a registration unit 609;
The registration unit 609 can specifically be used to:
receive a device registration request sent by a terminal, the device registration request carrying user identity information and device information of the terminal;
verify the user identity information and, if the verification passes, bind the device identification information to the user identity information and update the device list.
In specific implementation, the above units can be implemented as independent entities or combined arbitrarily and implemented as one or several entities; the specific implementation of each unit can be found in the method embodiments above and is not repeated here.
From the above, the resource access apparatus provided by the embodiment of the present invention receives, through the receiving unit 601, a ticket application request sent by a terminal; obtains, through the information acquisition unit 602, request legality assessment information according to the ticket application request; determines, through the determination unit 603, whether the current resource access request is legal according to the request legality assessment information; sends, through the ticket sending unit 604, an access ticket to the terminal when the determination unit determines that the current resource access request is legal; receives, through the second receiving unit 605, a verification request sent by the gateway device, the verification request carrying the access ticket; and, through the ticket verification unit 606, verifies the access ticket and sends a ticket verification result to the gateway device. This scheme can proxy all resource access requests through the gateway device and control which legal terminals access the network by issuing access tickets, so that terminals cannot directly access intranet resources, while only trusted processes are allowed to access intranet resources; in this way, even if a user terminal is attacked by a hacker, the hacking tools on the terminal cannot intrude on sensitive resources, greatly improving resource security.
The embodiment of the present invention also provides a terminal. Fig. 7 shows a structural schematic diagram of the terminal involved in the embodiment of the present invention, specifically:
The terminal may include a processor 701 with one or more processing cores, a memory 702 with one or more computer-readable storage media, a power supply 703, an input unit 704 and other components. Those skilled in the art will understand that the terminal structure shown in Fig. 7 does not limit the terminal, which may include more or fewer components than illustrated, combine certain components, or have a different component arrangement. Wherein:
The processor 701 is the control centre of the terminal; it connects the various parts of the entire terminal through various interfaces and lines, and performs the terminal's various functions and processes its data by running or executing the software programs and/or modules stored in the memory 702 and calling the data stored in the memory 702, thereby monitoring the terminal as a whole. Optionally, the processor 701 may include one or more processing cores; preferably, the processor 701 can integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor may also not be integrated into the processor 701.
The memory 702 can be used to store software programs and modules, and the processor 701 performs various functional applications and data processing by running the software programs and modules stored in the memory 702. The memory 702 may mainly include a program storage area and a data storage area, where the program storage area can store the operating system and the application programs required for at least one function (such as a sound playing function or an image playing function), and the data storage area can store data created through use of the terminal. In addition, the memory 702 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other volatile solid-state storage device. Correspondingly, the memory 702 may also include a memory controller to provide the processor 701 with access to the memory 702.
The terminal also includes a power supply 703 that powers all components; preferably, the power supply 703 can be logically connected to the processor 701 through a power management system, so that functions such as charging management, discharging management and power consumption management are realized through the power management system. The power supply 703 may also include one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator and any other such components.
Although not shown, the terminal can also include a display unit and so on, which is not described here. Specifically, in this embodiment the processor 701 in the terminal loads the executable file corresponding to the process of one or more application programs into the memory 702 according to the following instructions, and runs the application programs stored in the memory 702 to realize the following functions:
when a resource needs to be accessed, send an access ticket acquisition request to the network access client;
receive the access ticket returned by the network access client, the access ticket being obtained by the network access client from the access control device based on the access ticket acquisition request;
send a connection establishment request carrying the access ticket to the gateway device of the network;
when the connection is successfully established, send a resource access request to the gateway device over the connection, so that the gateway device forwards the resource access request to a resource server in the network.
In one embodiment, the processor 701 can also perform the following steps:
detect the security state of the terminal in real time through the network access client to obtain security state information;
send the security state information to the access control device through the network access client, so that the access control device determines from the security state information whether the security state of the terminal is abnormal.
In one embodiment, before a resource needs to be accessed, the processor 701 can also perform the following step:
send a device registration request to the access control device, the device registration request carrying user identity information and device information of the terminal.
The specific implementation of each of the above operations can be found in the previous embodiments and is not repeated here.
Referring to Fig. 8, an embodiment of the present invention further provides a network device, which may include a processor 801 and a memory 802. The processor 801 in the device loads the executable file corresponding to the process of one or more application programs into the memory 802 according to the following instructions, and runs the application programs stored in the memory 802, thereby implementing various functions.
For example, when the device is a gateway, the following functions may be implemented:
receiving a connection establishment request sent by a terminal, the connection establishment request carrying an access ticket; sending a verification request carrying the access ticket to the access control device, so that the access server verifies the access ticket; when the access ticket passes verification, establishing a connection with the terminal according to the connection establishment request; receiving, over the established connection, the resource access request sent by the terminal, and forwarding the resource access request to the resource server.
For another example, when the device is an access control device, the following functions may be implemented:
receiving a ticket application request sent by a terminal; obtaining request legality assessment information according to the ticket application request; determining according to the request legality assessment information whether the current ticket application request is legal; if legal, sending an access ticket to the terminal; receiving a verification request sent by the gateway, the verification request carrying the access ticket; verifying the access ticket and sending the ticket verification result to the gateway.
From the above, the terminal, access control device and gateway of the present embodiment cooperate so that the gateway proxies all resource access requests, and the issuing of access tickets controls which legitimate terminals may access the network. The terminal therefore cannot access intranet resources directly, and only trusted processes are allowed to access intranet resources. Even if a user terminal is compromised by an attacker, the attack tool on the terminal cannot intrude on sensitive resources, which greatly improves resource security.
Those skilled in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be completed by instructions, or by instructions controlling the relevant hardware; the instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
For this purpose, an embodiment of the present invention provides a storage medium storing a plurality of instructions, which can be loaded by a processor to execute the steps of any resource access method provided by the embodiments of the present invention. For example, the instructions may execute the following steps:
when a resource needs to be accessed, sending an access ticket acquisition request to the network access client; receiving the access ticket returned by the network access client, the access ticket being obtained by the network access client from the access control device on the basis of the access ticket acquisition request; sending a connection establishment request to the gateway of the network, the connection establishment request carrying the access ticket; when the connection is established successfully, sending the resource access request to the gateway over the connection, so that the gateway forwards the resource access request to the resource server in the network.
In one embodiment, the instructions may also execute the following steps:
receiving a connection establishment request sent by a terminal, the connection establishment request carrying the access ticket; sending a verification request carrying the access ticket to the access control device, so that the access server verifies the access ticket; when the access ticket passes verification, establishing a connection with the terminal according to the connection establishment request; receiving, over the established connection, the resource access request sent by the terminal, and forwarding the resource access request to the resource server.
In one embodiment, the instructions may also execute the following steps:
receiving a ticket application request sent by a terminal; obtaining request legality assessment information according to the ticket application request; determining according to the request legality assessment information whether the current ticket application request is legal; if legal, sending an access ticket to the terminal; receiving a verification request sent by the gateway, the verification request carrying the access ticket; verifying the access ticket and sending the ticket verification result to the gateway.
For the specific implementation, see the previous embodiments, which are not described here again.
The storage medium may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, and the like.
Since the instructions stored in the storage medium can execute the steps of any resource access method provided by the embodiments of the present invention, they can achieve the beneficial effects achievable by any resource access method provided by the embodiments of the present invention; see the previous embodiments for details, which are not described here again.
The resource access method, apparatus and storage medium provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementations of the present invention, and the description of the above embodiments is only intended to help in understanding the method and core idea of the invention. Meanwhile, those skilled in the art may, following the idea of the invention, make changes to the specific implementation and application scope. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (15)

1. A resource access method, applicable to a terminal, comprising:
when a resource needs to be accessed, sending an access ticket acquisition request to a network access client;
receiving the access ticket returned by the network access client, the access ticket being obtained by the network access client from an access control device on the basis of the access ticket acquisition request;
sending a connection establishment request to a gateway of the network, the connection establishment request carrying the access ticket;
when the connection is established successfully, sending a resource access request to the gateway over the connection, so that the gateway forwards the resource access request to a resource server in the network.
2. The resource access method of claim 1, further comprising:
detecting the security state of the terminal in real time by means of the network access client, obtaining security state information;
sending the security state information to the access control device by means of the network access client, so that the access control device determines according to the security state information whether the security state of the terminal is abnormal.
3. The resource access method of claim 1, further comprising, before the resource needs to be accessed:
sending a device registration request to the access control device, the device registration request carrying user identity information and device identification information of the terminal;
when registration succeeds, performing standardization processing on the terminal by means of the network access client.
4. The resource access method of claim 3, wherein sending the device registration request to the access control device comprises:
when the terminal boots, running the network access client in the background;
detecting whether the historical user identity information in the storage unit corresponding to the network access client has expired;
if not, extracting the historical user identity information from the storage unit;
automatically sending the device registration request to the access control device according to the historical user identity information.
5. A resource access method, applicable to a gateway, comprising:
receiving a connection establishment request sent by a terminal, the connection establishment request carrying an access ticket;
sending a verification request carrying the access ticket to an access control device, so that the access server verifies the access ticket;
when the access ticket passes verification, establishing a connection with the terminal according to the connection establishment request;
receiving, over the established connection, the resource access request sent by the terminal, and forwarding the resource access request to a resource server.
6. A resource access method, applicable to an access control device, comprising:
receiving a ticket application request sent by a terminal;
obtaining request legality assessment information according to the ticket application request;
determining according to the request legality assessment information whether the current ticket application request is legal;
if legal, sending an access ticket to the terminal;
receiving a verification request sent by a gateway, the verification request carrying the access ticket;
verifying the access ticket, and sending the ticket verification result to the gateway.
7. The resource access method of claim 6, wherein the request legality assessment information comprises: process information, resource information of the resource to be accessed, device information, and user identity information of the requesting user;
and determining according to the request legality assessment information whether the current ticket application request is legal comprises:
determining according to the request legality assessment information whether the terminal is secure;
if secure, determining according to the process information whether the process currently accessing the resource is legal;
if legal, verifying the identity of the current requesting user according to the user identity information;
if the verification passes, checking the resource access permission of the current requesting user;
if the check passes, determining that the current ticket application request is legal.
8. The resource access method of claim 7, further comprising:
obtaining the resource access log of the requesting user and the heartbeat data sent by the terminal;
wherein determining according to the request legality assessment information whether the terminal is secure comprises:
determining according to the heartbeat data whether the heartbeat of the terminal is abnormal, obtaining a heartbeat anomaly result;
performing anomaly analysis on the resource access behaviour of the requesting user according to the resource access log, obtaining a behaviour anomaly analysis result;
obtaining the security level of the terminal according to the heartbeat anomaly result, the behaviour anomaly analysis result and the request legality assessment information;
when the security level is greater than a predetermined level, determining that the terminal is secure.
9. The resource access method of claim 7, further comprising:
obtaining a device list, the device list comprising device identification information and user identity information bound to each other;
determining whether the device list contains device identification information bound to the user identity information of the requesting user, obtaining a device determination result;
wherein obtaining the security level of the terminal according to the heartbeat anomaly result, the behaviour anomaly analysis result and the request legality assessment information comprises:
obtaining the security level of the terminal according to the device determination result, the heartbeat anomaly result, the behaviour anomaly analysis result and the request legality assessment information.
10. The resource access method of claim 7, wherein checking the resource access permission of the current requesting user comprises:
obtaining attribute information of the current requesting user in a preset organizational structure and preset permission information of the resource to be accessed;
checking the resource access permission of the current requesting user according to the attribute information and the preset permission information.
11. A resource access apparatus, applicable to a terminal, comprising:
a ticket request unit, configured to send an access ticket acquisition request to a network access client when a resource needs to be accessed;
a ticket receiving unit, configured to receive the access ticket returned by the network access client, the access ticket being obtained by the network access client from an access control device on the basis of the access ticket acquisition request;
a connection unit, configured to send a connection establishment request to a gateway of the network, the connection establishment request carrying the access ticket;
an access unit, configured to send the resource access request to the gateway over the connection when the connection is established successfully, so that the gateway forwards the resource access request to a resource server in the network.
12. A resource access apparatus, applicable to a gateway, comprising:
a receiving unit, configured to receive a connection establishment request sent by a terminal, the connection establishment request carrying an access ticket;
a verification unit, configured to send a verification request carrying the access ticket to an access control device, so that the access server verifies the access ticket;
a connection unit, configured to establish a connection with the terminal according to the connection establishment request when the access ticket passes verification;
a forwarding unit, configured to receive, over the established connection, the service request sent by the terminal, and to forward the service request to a service server.
13. A resource access apparatus, applicable to an access control device, comprising:
a first receiving unit, configured to receive a ticket application request sent by a terminal;
an information acquisition unit, configured to obtain request legality assessment information according to the ticket application request;
a determination unit, configured to determine according to the request legality assessment information whether the current ticket application request is legal;
a ticket sending unit, configured to send an access ticket to the terminal when the determination unit determines that the current resource access request is legal;
a second receiving unit, configured to receive a verification request sent by a gateway, the verification request carrying the access ticket;
a ticket verification unit, configured to verify the access ticket and send the ticket verification result to the gateway.
14. A storage medium, storing a plurality of instructions, the instructions being suitable for loading by a processor to execute the steps of the resource access method of any one of claims 1 to 10.
15. A terminal, comprising a processor and a memory, the memory storing a plurality of instructions, the processor loading the instructions to execute the steps of the resource access method of any one of claims 1 to 4.
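The ticket flow set out in the description above and in claims 1 and 5 to 10, as an added example that is not code from the patent or from Tencent: the four parties (network access client on the terminal, access control device, gateway, resource server) are modelled in one Python process, with the access control device applying the claim 7 checks in order and the gateway only proxying over a connection opened with a verified ticket. The HMAC ticket format, the numeric security-level scoring with its threshold of 60, the trusted-process list and all identities and resources are this example's own constructed assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-acd-key"  # constructed: ticket MAC key held by the access control device
RESOURCES = {"/finance/report": "Q2 numbers"}  # constructed: what the intranet resource server holds

class AccessControlDevice:
    """Issues and verifies access tickets (claims 6 to 10)."""
    def __init__(self):
        self.device_list = {"dev-01": "alice"}  # claim 9: device/user bindings (constructed)
        self.users = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}  # constructed credential
        self.trusted_processes = {"corp-browser"}  # claim 7: processes allowed to reach the intranet
        self.permissions = {"finance": {"/finance/report"}}  # claim 10: org attribute -> resources

    def security_level(self, req):
        """Claims 8 and 9: score the terminal from heartbeat, behaviour and device binding."""
        level = 100
        if req["now"] - req["heartbeat"]["last_seen"] > 60:  # stale heartbeat is an anomaly
            level -= 50
        if sum(1 for e in req["access_log"] if e == "denied") >= 3:  # burst of denied accesses
            level -= 40
        if self.device_list.get(req["device_id"]) != req["user_id"]:  # device not bound to user
            level = 0
        return level

    def apply_ticket(self, req):
        """Claim 7 order: terminal secure -> process legal -> identity -> permission."""
        if self.security_level(req) <= 60:  # 60 is this example's assumed predetermined level
            return None, "terminal-unsafe"
        if req["process"] not in self.trusted_processes:
            return None, "process-illegal"
        if self.users.get(req["user_id"]) != hashlib.sha256(req["credential"]).hexdigest():
            return None, "identity-failed"
        if req["resource"] not in self.permissions.get(req["org_attribute"], set()):
            return None, "no-permission"
        body = json.dumps({"u": req["user_id"], "d": req["device_id"],
                           "r": req["resource"], "exp": req["now"] + 300}, sort_keys=True)
        tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag, "ok"  # ticket is bound to user, device and resource

    def verify_ticket(self, ticket, now):
        """Answers the gateway's verification request: MAC must match and ticket must be unexpired."""
        body, _, tag = ticket.rpartition(".")
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(body)
        return claims if claims["exp"] > now else None

class Gateway:
    """Claim 5: connect only on a verified ticket, then proxy requests to the resource server."""
    def __init__(self, acd):
        self.acd, self.sessions = acd, {}

    def connect(self, ticket, now):
        claims = self.acd.verify_ticket(ticket, now)
        if claims is None:
            return None  # connection refused: nothing ever reaches the resource server
        conn = f"conn-{len(self.sessions) + 1}"
        self.sessions[conn] = claims
        return conn

    def forward(self, conn, resource):
        claims = self.sessions.get(conn)
        if claims is None or claims["r"] != resource:  # no session, or ticket for another resource
            return "rejected"
        return RESOURCES.get(resource, "404")  # reply from the resource server

def run_scenario():
    """Legitimate flow, a tampered ticket, a request with no connection, an untrusted process."""
    acd = AccessControlDevice()
    gw, now = Gateway(acd), 1_700_000_000
    req = {"user_id": "alice", "credential": b"alice-pw", "device_id": "dev-01",
           "process": "corp-browser", "org_attribute": "finance", "resource": "/finance/report",
           "heartbeat": {"last_seen": now - 5}, "access_log": ["ok", "ok"], "now": now}
    ticket, status = acd.apply_ticket(req)  # network access client -> access control device
    conn = gw.connect(ticket, now)  # terminal -> gateway -> access control device
    good = gw.forward(conn, "/finance/report")  # gateway -> resource server
    tampered = gw.connect(ticket.replace("dev-01", "dev-99"), now)  # MAC no longer matches
    no_conn = gw.forward("conn-none", "/finance/report")
    bad_proc = acd.apply_ticket({**req, "process": "untrusted-tool"})[1]
    return status, good, tampered, no_conn, bad_proc
```

The resource server is never addressed by the terminal; every path to it goes through `Gateway.forward`, which is the proxying property the description claims.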
CN201810893233.7A 2018-08-07 2018-08-07 Resource access method, device, terminal and storage medium Active CN110213215B (en)
Publications (2)

Publication Number Publication Date
CN110213215A true CN110213215A (en) 2019-09-06
CN110213215B CN110213215B (en) 2022-05-06
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20210926
Address after: 100190 Beijing Haidian District Zhichun Road 49 No. 3 West 309
Applicant after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.
Address before: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors
Applicant before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.
GR01 Patent grant